From Qualitative to Quantitative Proofs of Security Properties 
Using First-Order Conditional Logic 
Abstract

A first-order conditional logic is considered, with semantics given by a variant of $\epsilon$-semantics (Adams 1975; Goldszmidt & Pearl 1992), where $\varphi \rightarrow \psi$ means that $\Pr(\psi \mid \varphi)$ approaches 1 super-polynomially, that is, faster than any inverse polynomial. This type of convergence is needed for reasoning about security protocols. A complete axiomatization is provided for this semantics, and it is shown how a qualitative proof of the correctness of a security protocol can be automatically converted to a quantitative proof appropriate for reasoning about concrete security.

1 Introduction 

Security protocols, such as key-exchange and key-management protocols, are short, but notoriously difficult to prove correct. Flaws have been found in numerous protocols, ranging from the 802.11 Wired Equivalent Privacy (WEP) protocol used to protect link-layer communications from eavesdropping and other attacks (Borisov, Goldberg, & Wagner 2001) to standards and proposed standards for Secure Socket Layer (Wagner & Schneier 1996; Mitchell, Shmatikov, & Stern 1998) to Kerberos (Bella & Paulson 1998). Not surprisingly, a great deal of effort has been devoted to proving the correctness of such protocols. There are two largely disjoint approaches. The first essentially ignores the details of cryptography by assuming perfect cryptography (i.e., nothing encrypted can ever be decrypted without the encryption key) and an adversary that controls the network. By ignoring the cryptography, it is possible to give a more qualitative proof of correctness, using logics designed for reasoning about security protocols. Indeed, this approach has enabled axiomatic proofs of correctness and model checking of proofs (see, for example, (Mitchell, Mitchell, & Stern 1997; Paulson 1994)). The second approach applies the tools of modern cryptography to proving correctness, using more quantitative arguments. Typically it is shown that, given some security parameter $k$ (where $k$ may be, for example, the length of the key used), an adversary whose running time is polynomial in $k$ has a negligible probability of breaking the security, where "negligible" means "less than any inverse polynomial function of $k$" (see, for example, (Bellare, Canetti, & Krawczyk 1998; Goldreich 2001)).

There has been recent work on bridging the gap between these two approaches, with the goal of constructing a logic that can allow reasoning about quantitative aspects of security protocols while still being amenable to mechanization. This line of research started with the work of Abadi and Rogaway [2000]. More recently, Datta et al. [2005] showed that by giving a somewhat nonstandard semantics to their first-order Protocol Composition Logic (Datta et al. 2007), it was possible to reason about many features of the computational model. In this logic, an "implication" of the form $\varphi \supset \psi$ is interpreted as, roughly speaking, the probability of $\psi$ given $\varphi$ is high. For example, a statement like $\mathit{secret\ encrypted} \supset \mathit{adversary\ does\ not\ decrypt\ the\ secret}$ says "with high probability, if the secret is encrypted, the adversary does not decrypt it". While the need for such statements should be clear, the probabilistic interpretation used is somewhat unnatural, and no axiomatization is provided by Datta et al. [2005] for the $\supset$ operator (although some sound axioms are given that use it).

The interpretation of $\supset$ is quite reminiscent of one of the interpretations of $\rightarrow$ in conditional logic, where $\varphi \rightarrow \psi$ can be interpreted as "typically, if $\varphi$ then $\psi$" (Kraus, Lehmann, & Magidor 1990). Indeed, one semantics given to $\rightarrow$, called $\epsilon$-semantics (Adams 1975; Goldszmidt & Pearl 1992), is very close in spirit to that used in (Datta et al. 2005); this is particularly true for the formulation of $\epsilon$-semantics given by Goldszmidt, Morris, and Pearl (1993). In this formulation, a formula $\varphi \rightarrow \psi$ is evaluated with respect to a sequence $(\Pr_1, \Pr_2, \ldots)$ of probability measures (a probability sequence, for short): it is true if, roughly speaking, $\lim_{n \to \infty} \Pr_n(\psi \mid \varphi) = 1$ (where $\Pr_k(\psi \mid \varphi)$ is taken to be 1 if $\Pr_k(\varphi) = 0$). This formulation is not quite strong enough for some security-related purposes, where the standard is super-polynomial convergence, that is, convergence faster than any inverse polynomial. To capture such convergence, we can take $\varphi \rightarrow \psi$ to be true with respect to this probability sequence if, for all polynomials $p$, there exists $n^*$ such that, for all $n > n^*$, $\Pr_n(\psi \mid \varphi) > 1 - 1/p(n)$. (Note that this implies that $\lim_{n \to \infty} \Pr_n(\psi \mid \varphi) = 1$.) In a companion paper, it is shown that reinterpreting $\supset$ in this way gives an elegant, powerful variant of the logic considered in (Datta et al. 2005), which can be used to reason about security protocols of interest.
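As an added illustration (not from the original paper) of why the super-polynomial reading is strictly stronger than the limit reading, take two constructed probability sequences for a fixed pair $\varphi$, $\psi$, with the conditional probabilities chosen by hand:

```latex
\text{(A)}\quad \Pr_n(\psi \mid \varphi) = 1 - \frac{1}{n}, \qquad\qquad
\text{(B)}\quad \Pr_n(\psi \mid \varphi) = 1 - 2^{-n}, \qquad n = 1, 2, \ldots

\text{In both cases } \lim_{n \to \infty} \Pr_n(\psi \mid \varphi) = 1,
\text{ so } \varphi \rightarrow \psi \text{ holds under } \epsilon\text{-semantics for (A) and for (B).}

\text{(A) fails the super-polynomial condition: for the positive polynomial } p(n) = n^2,
\quad 1 - \frac{1}{n} > 1 - \frac{1}{n^2} \iff n^2 < n,
\text{ which is false for every } n \ge 1, \text{ so no } n^* \text{ exists.}

\text{(B) satisfies it: a positive polynomial } p \text{ of degree } d \text{ with largest coefficient } c
\text{ obeys } p(n) \le c(d+1)\,n^d \text{ for } n \ge 1, \text{ and } c(d+1)\,n^d < 2^n
\text{ for all } n \text{ beyond some } n^*(c, d), \text{ hence }
1 - 2^{-n} > 1 - \frac{1}{p(n)} \text{ for all } n > n^*.
```

In the security reading, with $n$ as the security parameter, (A) leaves a failure probability of $1/n$, which is not negligible in the sense of the introduction, while the $2^{-n}$ of (B) is.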

While it is already a pleasant surprise that conditional logic provides such a clean approach to reasoning about security, using conditional logic has two further significant advantages, which are the subject of this paper. The first is that, as I show here, the well-known complete axiomatization of conditional logic with respect to $\epsilon$-semantics continues to be sound and complete with respect to the super-polynomial semantics; thus, the axioms form a basis for automated proofs. The second is that the use of conditional logic allows for a clean transition from qualitative to quantitative arguments. To explain these points, I need to briefly recall some well-known results from the literature.

As is well known, the KLM properties (Kraus, Lehmann, & Magidor 1990) (see Section 2) provide a sound and complete axiomatization for reasoning about $\rightarrow$ formulas with respect to $\epsilon$-semantics (Geffner 1992). More precisely, if $\Delta$ is a collection of formulas of the form $\varphi' \rightarrow \psi'$ and $\Delta$ ($\epsilon$-)entails $\varphi \rightarrow \psi$ (that is, for every probability sequence $\mathcal{P}$, if every formula in $\Delta$ is true in $\mathcal{P}$ according to $\epsilon$-semantics, then so is $\varphi \rightarrow \psi$), then $\varphi \rightarrow \psi$ is provable from $\Delta$ using the KLM properties. This result applies only when $\Delta$ is a collection of $\rightarrow$ formulas. $\Delta$ cannot include negations or disjunctions of $\rightarrow$ formulas. Conditional logic extends the KLM framework by allowing Boolean combinations of $\rightarrow$ statements. A sound and complete axiomatization of propositional conditional logic with semantics given by what are called preferential structures was given by Burgess [1981]; Friedman and Halpern [2001] proved it was also sound and complete for $\epsilon$-semantics.

Propositional conditional logic does not suffice for reasoning about security. The logic of (Datta et al. 2005) is first-order; quantification is needed to capture important properties of security protocols. A sound and complete axiomatization for the language of first-order conditional logic, denoted $\mathcal{L}^C$, with respect to $\epsilon$-semantics is given by Friedman, Halpern, and Koller [2000]. The first major result of this paper shows that a conditional logic formula $\varphi$ is satisfiable in some model $M$ with respect to $\epsilon$-semantics iff it is satisfiable in some model $M'$ with respect to the super-polynomial semantics. It follows that all the completeness results for $\epsilon$-semantics apply without change to the super-polynomial semantics.

I then consider the language $\mathcal{L}^{\rightarrow}$, which essentially consists of universal $\rightarrow$ formulas, that is, formulas of the form $\forall x_1 \ldots \forall x_n(\varphi \rightarrow \psi)$, where $\varphi$ and $\psi$ are first-order formulas. As in the KLM framework, there are no nested $\rightarrow$ formulas or negated $\rightarrow$ formulas. The second major result of this paper is to provide a sound and complete axiomatization that extends the KLM properties for reasoning about when a collection of formulas in $\mathcal{L}^{\rightarrow}$ entails a formula in $\mathcal{L}^{\rightarrow}$.

It might seem strange to be interested in an axiomatization for $\mathcal{L}^{\rightarrow}$ when there is already a sound and complete axiomatization for the full language $\mathcal{L}^C$. However, $\mathcal{L}^{\rightarrow}$ has some significant advantages. In reasoning about concrete security, asymptotic complexity results do not suffice; more detailed information about security guarantees is needed. For example, we may want to prove that an SSL server that supports 1,000,000 sessions using 1024 bit keys has a probability of 0.999999 of providing the desired service without being compromised. I show how to convert a qualitative proof of security in the language $\mathcal{L}^{\rightarrow}$, which provides only asymptotic guarantees, to a quantitative proof. Moreover, the conversion shows exactly how strong the assumptions have to be in order to get the desired 0.999999 level of security. Such a conversion is not possible with $\mathcal{L}^C$.

This conversion justifies reasoning at the qualitative level. 
A qualitative proof can be constructed without worrying 
about the details of the numbers, and then automatically con- 
verted to a quantitative proof for the desired level of security. 

In the next section, I review the syntax and semantics of conditional logic, with an emphasis on $\epsilon$-semantics, and show how it can be modified to deal with the super-polynomial convergence that is more appropriate for reasoning about security. In Section 3, I provide axioms and inference rules for both qualitative and quantitative reasoning.

2 First-Order Conditional Logic

I review the syntax and semantics of first-order conditional 
logic here. Although I focus on first-order conditional logic 
here, it is straightforward to specialize all the definitions 
and results to the propositional case, so I do not discuss the 
propositional case further. 

The syntax of first-order conditional logic is straightforward. Fix a finite first-order vocabulary $T$ consisting, as usual, of function symbols, predicate symbols, and constants. Starting with atomic formulas of first-order logic over the vocabulary $T$, more complicated formulas are formed by closing off under the standard truth-functional connectives (i.e., $\wedge$, $\vee$, $\neg$, and $\Rightarrow$), first-order quantification, and the binary modal operator $\rightarrow$. Thus, a typical formula is $\forall x(P(x) \rightarrow \exists y(Q(x,y) \rightarrow R(y)))$. Let $\mathcal{L}^C(T)$ be the resulting language. Let $\mathcal{L}^{fo}(T)$ be the pure first-order fragment of $\mathcal{L}^C(T)$, consisting of $\rightarrow$-free formulas. Let $\mathcal{L}^{\rightarrow}(T)$ consist of all formulas in $\mathcal{L}^C(T)$ of the form $\forall x_1 \ldots \forall x_n(\varphi \rightarrow \psi)$, where $\varphi$ and $\psi$ are in $\mathcal{L}^{fo}$. (I henceforth omit the $T$ unless it is necessary for clarity.) Note that $\mathcal{L}^{\rightarrow}$ does not include negations of $\rightarrow$ formulas or conjunctions of $\rightarrow$ formulas. While not having conjunctions does not really impair the expressive power of $\mathcal{L}^{\rightarrow}$ (since we will be interested in sets of $\mathcal{L}^{\rightarrow}$ formulas, where a set can be identified with the conjunction of the formulas in the set), the lack of negation does.

I give two semantics to formulas in $\mathcal{L}^C(T)$. In both semantics, the truth of formulas is defined with respect to PS structures. A PS structure is a tuple $M = (D, W, \pi, \mathcal{P})$, where $D$ is a domain, $W$ is a set of worlds, $\pi$ is an interpretation, which associates with each predicate symbol (resp., function symbol, constant symbol) in $T$ and world $w \in W$ a predicate (resp., function, domain element) of the right arity, and $\mathcal{P} = (\Pr_1, \Pr_2, \ldots)$ is a probability sequence. As usual, a valuation $V$ associates with each variable $x$ an element $V(x) \in D$.

Given a valuation $V$ and structure $M$, the semantics of $\wedge$, $\neg$, and $\forall$ is completely standard. In particular, the truth of a first-order formula in $\mathcal{L}^{fo}$ in a world $w$, written $(M, V, w) \models \varphi$, is determined as usual. For $\varphi \in \mathcal{L}^{fo}$, let $[\![\varphi]\!]_{M,V} = \{w : (M, V, w) \models \varphi\}$. If $\varphi$ is a closed formula, so that its truth does not depend on the valuation, I occasionally write $[\![\varphi]\!]_M$ rather than $[\![\varphi]\!]_{M,V}$. I write $(M, V) \models \varphi$ if $(M, V, w) \models \varphi$ for all worlds $w$. The truth of an $\rightarrow$ formula does not depend on the world, but only on the structure $M$:

$$
(M, V) \models \varphi \rightarrow \psi \ \text{ if } \ \lim_{n \to \infty} \Pr_n([\![\psi]\!]_{M,V} \mid [\![\varphi]\!]_{M,V}) = 1,
$$

where $\Pr_n([\![\psi]\!]_{M,V} \mid [\![\varphi]\!]_{M,V})$ is taken to be 1 if $\Pr_n([\![\varphi]\!]_{M,V}) = 0$.

I also consider an alternative semantics that gives super-polynomial convergence. A polynomial is positive if all its coefficients are nonnegative and at least one is nonzero.

$$
(M, V) \models^{sp} \varphi \rightarrow \psi \ \text{ if, for all positive polynomials } p, \text{ there exists some } n^* > 0 \text{ such that, for all } n > n^*, \ \Pr_n([\![\psi]\!]_{M,V} \mid [\![\varphi]\!]_{M,V}) > 1 - \frac{1}{p(n)}.
$$

As usual, I write $M \models \varphi$ if $(M, V) \models \varphi$ for all valuations $V$, and $\mathcal{N} \models \varphi$ if $M \models \varphi$ for all PS structures $M$ in a set $\mathcal{N}$, and similarly with $\models$ replaced by $\models^{sp}$.

3 Axioms for qualitative and quantitative reasoning

In this section, I start by showing that qualitative reasoning for both $\models$ and $\models^{sp}$ is characterized by the same axiom system. I then provide a complete axiomatization for $\mathcal{L}^{\rightarrow}$. Finally, I consider quantitative conditional logic. In the axioms, it is convenient to use $N\varphi$ as an abbreviation for $\neg\varphi \rightarrow \mathit{false}$. Note that if $\varphi$ is a closed formula, then $M \models N\varphi$ iff, for some $n^*$, $\Pr_n([\![\varphi]\!]_M) = 1$ for all $n > n^*$, and similarly with $\models$ replaced by $\models^{sp}$. Thus, $N\varphi$ can be read as saying "$\varphi$ is almost surely true".

3.1 Qualitative Reasoning 

As was mentioned in the introduction, Friedman, Halpern, and Koller [2000] provide a complete axiomatization $\mathrm{AX}_C$ for $\mathcal{L}^C$ with respect to $\models$. For the security applications, a generalization of their result is needed, where it is possible to restrict to models where all worlds satisfy a particular first-order theory $\Lambda$. Let $\vdash_\Lambda$ denote provability in first-order logic given the axioms in the theory $\Lambda$. Let $\mathrm{AX}^\Lambda_C$ consist of the following axioms and rules:

$\Lambda$-AX. $\varphi$, if $\varphi \in \mathcal{L}^{fo}$ and $\vdash_\Lambda \varphi$.

C0. All substitution instances of propositional tautologies.

C1. $\varphi \rightarrow \varphi$.

C2. $((\varphi \rightarrow \psi_1) \wedge (\varphi \rightarrow \psi_2)) \Rightarrow (\varphi \rightarrow (\psi_1 \wedge \psi_2))$.

C3. $((\varphi_1 \rightarrow \psi) \wedge (\varphi_2 \rightarrow \psi)) \Rightarrow ((\varphi_1 \vee \varphi_2) \rightarrow \psi)$.

C4. $((\varphi_1 \rightarrow \varphi_2) \wedge (\varphi_1 \rightarrow \psi)) \Rightarrow ((\varphi_1 \wedge \varphi_2) \rightarrow \psi)$.

C5. $[(\varphi \rightarrow \psi) \Rightarrow N(\varphi \rightarrow \psi)] \wedge [\neg(\varphi \rightarrow \psi) \Rightarrow N\neg(\varphi \rightarrow \psi)]$.

C6. $\neg(\mathit{true} \rightarrow \mathit{false})$.

F1. $\forall x \varphi \Rightarrow \varphi[x/t]$, where $t$ is substitutable for $x$ in the sense discussed below and $\varphi[x/t]$ is the result of substituting $t$ for all free occurrences of $x$ in $\varphi$ (see (Enderton 1972) for a formal definition).

F2. $\forall x(\varphi \Rightarrow \psi) \Rightarrow (\forall x \varphi \Rightarrow \forall x \psi)$.

F3. $\varphi \Rightarrow \forall x \varphi$ if $x$ does not occur free in $\varphi$.

F4. $x = y \Rightarrow (\varphi_1 \Rightarrow \varphi_2)$, where $\varphi_1$ is quantifier-free and $\varphi_2$ is obtained from $\varphi_1$ by replacing zero or more occurrences of $x$ in $\varphi_1$ by $y$.

F5. $x \ne y \Rightarrow N(x \ne y)$.

MP. From $\varphi$ and $\varphi \Rightarrow \psi$ infer $\psi$.

Gen. From $\varphi$ infer $\forall x \varphi$.

R1. From $\varphi_1 \Leftrightarrow \varphi_2$ infer $(\varphi_1 \rightarrow \psi) \Leftrightarrow (\varphi_2 \rightarrow \psi)$.

R2. From $\psi_1 \Rightarrow \psi_2$ infer $(\varphi \rightarrow \psi_1) \Rightarrow (\varphi \rightarrow \psi_2)$.

The axiom system $\mathrm{AX}_C$ of (Friedman, Halpern, & Koller 2000) does not have $\Lambda$-AX (this is needed to incorporate the theory $\Lambda$) and includes an axiom $x = x$ that follows from $\Lambda$-AX; otherwise, the axiom systems are identical. As observed in (Friedman, Halpern, & Koller 2000), the "positive" version of F5, $x = y \Rightarrow N(x = y)$, is also sound. It is not included in the axiomatization because it is provable from the other axioms.

It remains to explain the notion of "substitutable" in F1. Clearly a term $t$ with free variables that might be captured by some quantifiers in $\varphi$ cannot be substituted for $x$; for example, while $\forall x \exists y(x \ne y)$ is true as long as the domain has at least two elements, the result of substituting $y$ for $x$ is $\exists y(y \ne y)$, which is surely false. In the case of first-order logic, it suffices to define "substitutable" so as to make sure this does not happen (see (Enderton 1972) for details). However, in modal logics such as this one, more care must be taken. In general, terms cannot be substituted for universally quantified variables in a modal context, since terms are not in general rigid; that is, they can have different interpretations in different worlds. To understand the impact of this, consider the formula $\forall x(\neg NP(x)) \Rightarrow \neg NP(c)$ (where $P$ is a unary predicate and $c$ is a constant). This formula is not valid in PS structures. For example, consider a PS structure with two worlds $w_1$ and $w_2$, and a domain with two elements $d_1$ and $d_2$. Suppose that in world $w_1$, $P(d_1)$ holds, $P(d_2)$ does not, and $c$ is interpreted as $d_1$, while in world $w_2$, $P(d_2)$ holds, $P(d_1)$ does not, and $c$ is interpreted as $d_2$. Then it is easy to see that $P(c)$ holds in both worlds, but $P(x)$ holds in only one world, no matter how $x$ is interpreted. If $\Pr_n(w_1) = \Pr_n(w_2) = 1/2$ for all $n$, then $M \models NP(c)$, while $M \models \forall x(\neg NP(x))$. Thus, if $\varphi$ is a formula that has occurrences of $\rightarrow$, then the only terms that are considered substitutable for $x$ in $\varphi$ are other variables.

It is interesting to contrast R1, R2, and C4. While R2 allows a formula $\psi_1$ on the right-hand side of $\rightarrow$ to be replaced by a weaker formula $\psi_2$ (that is, a formula such that $\psi_1 \Rightarrow \psi_2$ is provable), R1 just allows a formula $\varphi_1$ on the left-hand side of $\rightarrow$ to be replaced by an equivalent formula $\varphi_2$, rather than a stronger formula. C4 allows the replacement of a formula $\varphi_1$ on the left-hand side by a stronger formula, $\varphi_1 \wedge \varphi_2$, but only if $\varphi_1 \rightarrow \varphi_2$ holds. Intuitively, this says that if $\varphi_2$ and $\psi$ each almost always hold given $\varphi_1$, then $\psi$ almost always holds given both $\varphi_1$ and $\varphi_2$. Monotonicity does not hold in general. That is, if $\varphi_1 \Rightarrow \varphi_2$ is provable and $\varphi_2 \rightarrow \psi$ holds, then $\varphi_1 \rightarrow \psi$ does not necessarily hold. For a simple counterexample, it is not the case that if $\mathit{true} \rightarrow \psi$ holds then $\neg\psi \rightarrow \psi$ holds. If $\psi(x)$ states that $x$ cannot break the encryption, it seems reasonable to expect that, almost always, $x$ cannot break the encryption ($\mathit{true} \rightarrow \psi(x)$), but it surely is not the case that $x$ cannot break the encryption given that $x$ can break it.

The remaining axioms and rules are easy to explain. In particular, C2 says that if both $\psi_1$ and $\psi_2$ almost always hold given $\varphi$, then so does $\psi_1 \wedge \psi_2$, while C3 allows reasoning by cases: if $\psi$ almost always holds given each of $\varphi_1$ and $\varphi_2$, then it almost always holds given their disjunction.

I want to show that $\mathrm{AX}^\Lambda_C$ is also sound and complete for the $\models^{sp}$ semantics. The key step in doing that is to show that a formula is satisfiable with respect to the $\models^{sp}$ semantics iff it is satisfiable with respect to the $\models$ semantics.

Theorem 3.1: If $M = (D, W, \pi, \mathcal{P})$ is a PS structure and $D$ is countable, then there exists a probability sequence $\mathcal{P}'$ such that, for all valuations $V$, $(M, V) \models \varphi$ iff $(M', V) \models^{sp} \varphi$, where $M' = (D, W, \pi, \mathcal{P}')$.

Proof: Suppose that $M = (D, W, \pi, \mathcal{P})$, where $D = \{d_1, d_2, \ldots\}$ ($D$ may be finite), and $\mathcal{P} = (\Pr_1, \Pr_2, \ldots)$. Let $L = (\varphi_1 \rightarrow \psi_1, \varphi_2 \rightarrow \psi_2, \ldots)$ be a list of all formulas of the form $\varphi' \rightarrow \psi'$ in $\mathcal{L}^C$ with the property that if $(M, V') \models \neg(\varphi' \rightarrow \psi')$ for some valuation $V'$, then $\varphi' \rightarrow \psi'$ appears infinitely often in $L$. Suppose that the set of variables is $\{x_1, x_2, \ldots\}$. (I am implicitly assuming that the set of variables is countable, as is standard.) Let $\mathcal{V}_n$ be the set of valuations $V$ such that $V(x_i) \in \{d_1, \ldots, d_n\}$ for $i = 1, \ldots, n$ and $V(x_m) = d_1$ for all $m > n$. Given a valuation $V'$ and a formula $\varphi \in \mathcal{L}^C$, there exists $n$ such that, for all free variables $x$ in $\varphi$, $x \in \{x_1, \ldots, x_n\}$ and $V'(x) \in \{d_1, \ldots, d_n\}$. Thus, $(M, V') \models \varphi$ for some valuation $V'$ iff $(M, V') \models \varphi$ for some valuation $V' \in \mathcal{V}_n$. Suppose that the elements of $\mathcal{V}_n$ are $V^n_1, \ldots, V^n_{|\mathcal{V}_n|}$.

Since $\mathcal{V}_n$ is finite, there is a subsequence $\mathcal{P}' = (\Pr'_{11}, \ldots, \Pr'_{1|\mathcal{V}_1|}, \Pr'_{21}, \ldots, \Pr'_{2|\mathcal{V}_2|}, \ldots)$ of $\mathcal{P}$ with the following properties, for $1 \le m \le |\mathcal{V}_n|$:

(1) for all $j \le n$ and $V \in \mathcal{V}_n$, if $(M, V) \models \varphi_j \rightarrow \psi_j$, then $\Pr'_{nm}([\![\psi_j]\!]_{M,V} \mid [\![\varphi_j]\!]_{M,V}) > 1 - 1/n^n$;

(2) if $(M, V^n_m) \models \neg(\varphi_n \rightarrow \psi_n)$, then $\Pr'_{nm}([\![\psi_n]\!]_{M,V^n_m} \mid [\![\varphi_n]\!]_{M,V^n_m}) < 1 - 1/k$, where $k$ is the smallest integer such that, for infinitely many indices $h$, $\Pr_h([\![\psi_n]\!]_{M,V^n_m} \mid [\![\varphi_n]\!]_{M,V^n_m}) < 1 - 1/k$.

(There must be such a $k$, since $\lim_{h \to \infty} \Pr_h([\![\psi_n]\!]_{M,V^n_m} \mid [\![\varphi_n]\!]_{M,V^n_m}) \ne 1$.)

Let $M' = (D, W, \pi, \mathcal{P}')$. I now prove that $(M, V) \models \varphi$ iff $(M', V) \models^{sp} \varphi$ for all valuations $V$ and formulas $\varphi \in \mathcal{L}^C$ by a straightforward induction on the structure of $\varphi$. If $\varphi$ is an atomic formula, this is immediate, since $M$ and $M'$ differ only in their probability sequences. All cases but the one where $\varphi$ has the form $\varphi' \rightarrow \psi'$ follow immediately from the induction hypothesis. If $\varphi$ has the form $\varphi' \rightarrow \psi'$, first suppose that $(M, V) \models \varphi' \rightarrow \psi'$. Fix a polynomial $p$. There must exist some $n^*$ such that (a) for all free variables $x$ in $\varphi'$ or $\psi'$, $x \in \{x_1, \ldots, x_{n^*}\}$ and $V(x) \in \{d_1, \ldots, d_{n^*}\}$, (b) $p(n) < n^n$ for all $n > n^*$, and (c) $\varphi' \rightarrow \psi'$ is among the first $n^*$ formulas in $L$. It follows from (a) that for all $n > n^*$, there exists some $V' \in \mathcal{V}_n$ such that $V'$ and $V$ agree on all the free variables in $\varphi' \rightarrow \psi'$. It then follows from (b), (c), and (1) that, for all $n > n^*$ and $1 \le m \le |\mathcal{V}_n|$, $\Pr'_{nm}([\![\psi']\!]_{M,V} \mid [\![\varphi']\!]_{M,V}) > 1 - 1/p(n)$. Thus, $(M', V) \models^{sp} \varphi' \rightarrow \psi'$.

If $(M, V) \models \neg(\varphi' \rightarrow \psi')$, there must be some minimal $k$ such that $\Pr_h([\![\psi']\!]_{M,V} \mid [\![\varphi']\!]_{M,V}) < 1 - 1/k$ for infinitely many indices $h$. Since $\varphi' \rightarrow \psi'$ occurs infinitely often in $L$, it easily follows from (2) that, for infinitely many values of $n$ and $h$, $\Pr'_{nh}([\![\psi']\!]_{M,V} \mid [\![\varphi']\!]_{M,V}) < 1 - 1/k$. Let $p(n) = k$ (so $p(n)$ is a constant function). It follows that $\Pr'_{nh}([\![\psi']\!]_{M,V} \mid [\![\varphi']\!]_{M,V}) < 1 - 1/p(n)$ for infinitely many values of $n$ and $h$. Thus, $(M', V) \models^{sp} \neg(\varphi' \rightarrow \psi')$. This completes the proof. $\blacksquare$

Let $\mathcal{PS}(\Lambda)$ consist of all PS structures $M$ where every world satisfies $\Lambda$.

Theorem 3.2: $\mathrm{AX}^\Lambda_C$ is a sound and complete axiomatization for $\mathcal{PS}(\Lambda)$ with respect to both $\models$ and $\models^{sp}$. That is, the following are equivalent for all formulas $\varphi$ in $\mathcal{L}^C(T)$:

(a) $\mathrm{AX}^\Lambda_C \vdash \varphi$;

(b) $\mathcal{PS}(\Lambda) \models \varphi$;

(c) $\mathcal{PS}(\Lambda) \models^{sp} \varphi$.

Proof: The equivalence of parts (a) and (b) for the case that $\Lambda = \emptyset$ is proved in Theorem 5.2 of (Friedman, Halpern, & Koller 2000). The same proof shows that the result holds for arbitrary $\Lambda$. To show that (a) implies (c), I must show that all the axioms are sound. The soundness of all the axioms and rules other than C2, C3, C4, and C5 is trivial. I consider each of these axioms in turn.

For C2, suppose that $M = (D, W, \pi, (\Pr_1, \Pr_2, \ldots))$ is a PS structure such that $M \models^{sp} \varphi \rightarrow \psi_1$ and $M \models^{sp} \varphi \rightarrow \psi_2$. Since $M \models^{sp} \varphi \rightarrow \psi_i$, $i = 1, 2$, given a positive polynomial $p$, there exist $n^*_1, n^*_2 > 0$ such that, for all $n > n^*_i$, $\Pr_n([\![\psi_i]\!]_{M,V} \mid [\![\varphi]\!]_{M,V}) > 1 - 1/2p(n)$, for $i = 1, 2$. For all $n > \max(n^*_1, n^*_2)$, $\Pr_n([\![\neg\psi_i]\!]_{M,V} \mid [\![\varphi]\!]_{M,V}) < 1/2p(n)$. Thus, for $n > \max(n^*_1, n^*_2)$,

$$
\begin{array}{rcl}
\Pr_n([\![\psi_1 \wedge \psi_2]\!]_{M,V} \mid [\![\varphi]\!]_{M,V})
& \ge & 1 - \big(\Pr_n([\![\neg\psi_1]\!]_{M,V} \mid [\![\varphi]\!]_{M,V}) + \Pr_n([\![\neg\psi_2]\!]_{M,V} \mid [\![\varphi]\!]_{M,V})\big) \\
& > & 1 - \dfrac{1}{2p(n)} - \dfrac{1}{2p(n)} \\
& = & 1 - \dfrac{1}{p(n)}.
\end{array}
$$

For C3, note that

$$
\begin{array}{rcl}
\Pr(A \mid B_1 \cup B_2)
& = & \Pr((A \cap B_1) \cup (A \cap B_2) \mid B_1 \cup B_2) \\
& = & \Pr(A \cap B_1 \mid B_1 \cup B_2) + \Pr(A \cap B_2 \mid B_1 \cup B_2) - \Pr(A \cap B_1 \cap B_2 \mid B_1 \cup B_2) \\
& = & \Pr(A \mid B_1) \times \Pr(B_1 \mid B_1 \cup B_2) + \Pr(A \mid B_2) \times \Pr(B_2 \mid B_1 \cup B_2) - \Pr(A \cap B_1 \cap B_2 \mid B_1 \cup B_2).
\end{array}
\qquad (3)
$$

Now suppose that $M \models^{sp} \varphi_1 \rightarrow \psi$ and $M \models^{sp} \varphi_2 \rightarrow \psi$. Given a positive polynomial $p$, as in the case of C2, there exist $n^*_1$ and $n^*_2$ such that, for all $n > n^*_i$, $\Pr_n([\![\psi]\!]_{M,V} \mid [\![\varphi_i]\!]_{M,V}) > 1 - 1/2p(n)$, for $i = 1, 2$. It easily follows from (3) that if $n > \max(n^*_1, n^*_2)$, then

$$
\begin{array}{rcl}
\Pr_n([\![\psi]\!]_{M,V} \mid [\![\varphi_1 \vee \varphi_2]\!]_{M,V})
& \ge & \big(1 - \tfrac{1}{2p(n)}\big)\Pr_n([\![\varphi_1]\!]_{M,V} \mid [\![\varphi_1 \vee \varphi_2]\!]_{M,V}) + \big(1 - \tfrac{1}{2p(n)}\big)\Pr_n([\![\varphi_2]\!]_{M,V} \mid [\![\varphi_1 \vee \varphi_2]\!]_{M,V}) \\
& & {} - \Pr_n([\![\psi \wedge \varphi_1 \wedge \varphi_2]\!]_{M,V} \mid [\![\varphi_1 \vee \varphi_2]\!]_{M,V}) \\
& \ge & \big(1 - \tfrac{1}{2p(n)}\big)\Pr_n([\![\varphi_1]\!]_{M,V} \mid [\![\varphi_1 \vee \varphi_2]\!]_{M,V}) + \big(1 - \tfrac{1}{2p(n)}\big)\Pr_n([\![\varphi_2]\!]_{M,V} \mid [\![\varphi_1 \vee \varphi_2]\!]_{M,V}) \\
& & {} - \Pr_n([\![\varphi_1 \wedge \varphi_2]\!]_{M,V} \mid [\![\varphi_1 \vee \varphi_2]\!]_{M,V}) \\
& = & \big(1 - \tfrac{1}{2p(n)}\big)\big[\Pr_n([\![\varphi_1]\!]_{M,V} \mid [\![\varphi_1 \vee \varphi_2]\!]_{M,V}) + \Pr_n([\![\varphi_2]\!]_{M,V} \mid [\![\varphi_1 \vee \varphi_2]\!]_{M,V}) - \Pr_n([\![\varphi_1 \wedge \varphi_2]\!]_{M,V} \mid [\![\varphi_1 \vee \varphi_2]\!]_{M,V})\big] \\
& & {} - \tfrac{1}{2p(n)}\Pr_n([\![\varphi_1 \wedge \varphi_2]\!]_{M,V} \mid [\![\varphi_1 \vee \varphi_2]\!]_{M,V}) \\
& \ge & \big(1 - \tfrac{1}{2p(n)}\big) - \tfrac{1}{2p(n)} \\
& = & 1 - \dfrac{1}{p(n)},
\end{array}
$$

where the penultimate step uses the fact that the bracketed sum equals $\Pr_n([\![\varphi_1 \vee \varphi_2]\!]_{M,V} \mid [\![\varphi_1 \vee \varphi_2]\!]_{M,V}) = 1$, and that the remaining conditional probability is at most 1.

For C4, note that

$$
\Pr(A_1 \mid A_2 \cap B) = \Pr(A_1 \cap A_2 \mid B) / \Pr(A_2 \mid B) \ge \Pr(A_1 \cap A_2 \mid B),
$$

so the argument follows essentially the same lines as that for C2.

Finally, C5 follows easily from the fact that the truth of a formula of the form $\varphi \rightarrow \psi$ or $\neg(\varphi \rightarrow \psi)$ is independent of the world, and depends only on the probability sequence.

It remains to show that (c) implies (b). Suppose not. Then there exists a formula $\varphi$ such that $\mathcal{PS}(\Lambda) \models^{sp} \varphi$ but $\mathcal{PS}(\Lambda) \not\models \varphi$. Thus, there exists $M \in \mathcal{PS}(\Lambda)$ and a valuation $V$ such that $(M, V) \not\models \varphi$. The proof in (Friedman, Halpern, & Koller 2000) shows that if a formula is satisfiable with respect to $\models$ at all, then it is satisfiable in a structure in $\mathcal{PS}(\Lambda)$ with a countable domain. Thus, without loss of generality, $M$ has a countable domain. But then it immediately follows from Theorem 3.1 that $\mathcal{PS}(\Lambda) \not\models^{sp} \varphi$. $\blacksquare$

I next completely characterize reasoning in $\mathcal{L}^{\rightarrow}$. I start by considering the fragment $\mathcal{L}^{\rightarrow}_c$ of $\mathcal{L}^{\rightarrow}$ consisting of all formulas of the form $\varphi \rightarrow \psi$ where $\varphi$ and $\psi$ are closed first-order formulas. Thus, $\mathcal{L}^{\rightarrow}_c$ does not allow $\rightarrow$ formulas to be universally quantified. Consider the following rules:

LLE. If $\vdash_\Lambda \varphi_1 \Leftrightarrow \varphi_2$, then from $\varphi_1 \rightarrow \psi$ infer $\varphi_2 \rightarrow \psi$ (left logical equivalence).

RW. If $\vdash_\Lambda \psi_1 \Rightarrow \psi_2$, then from $\varphi \rightarrow \psi_1$ infer $\varphi \rightarrow \psi_2$ (right weakening).

REF. $\varphi \rightarrow \varphi$ (reflexivity).

AND. From $\varphi \rightarrow \psi_1$ and $\varphi \rightarrow \psi_2$ infer $\varphi \rightarrow \psi_1 \wedge \psi_2$.

OR. From $\varphi_1 \rightarrow \psi$ and $\varphi_2 \rightarrow \psi$ infer $\varphi_1 \vee \varphi_2 \rightarrow \psi$.

CM. From $\varphi_1 \rightarrow \varphi_2$ and $\varphi_1 \rightarrow \psi$ infer $\varphi_1 \wedge \varphi_2 \rightarrow \psi$ (cautious monotonicity).

This collection of rules has been called system $\mathbf{P}_\Lambda$ (Kraus, Lehmann, & Magidor 1990) or the KLM properties.¹

¹ $\Lambda$ is not usually mentioned explicitly, but it will be useful to do so for the results of this paper.



The rules are obvious analogues of axioms in $\mathrm{AX}^\Lambda_C$. In particular, LLE is the analogue of R1, RW is the analogue of R2, REF is the analogue of C1, AND is the analogue of C2, OR is the analogue of C3, and CM is the analogue of C4. Given a collection $\Delta$ of $\rightarrow$ formulas, I write $\mathbf{P}_\Lambda \vdash \Delta \rightsquigarrow \varphi \rightarrow \psi$ if $\varphi \rightarrow \psi$ can be derived from $\Delta$ using these rules. A derivation from $\Delta$ consists of a sequence of steps of the form $\Delta \rightsquigarrow \varphi \rightarrow \psi$, where either (a) $\varphi \rightarrow \psi \in \Delta$, (b) $\varphi = \psi$ (which can be viewed as an application of the axiom REF), or (c) $\varphi \rightarrow \psi$ follows from previous steps by application of one of the rules in $\mathbf{P}_\Lambda$. All the rules above have the form "from $\varphi_1 \rightarrow \psi_1, \ldots, \varphi_n \rightarrow \psi_n$ infer $\varphi \rightarrow \psi$"; this can be viewed as an abbreviation for the rule scheme "from $\Delta \rightsquigarrow \varphi_1 \rightarrow \psi_1, \ldots, \Delta \rightsquigarrow \varphi_n \rightarrow \psi_n$ infer $\Delta \rightsquigarrow \varphi \rightarrow \psi$", with the same $\Delta$ everywhere. Although, for all these rules, the set $\Delta$ is the same everywhere, later there will be rules where different sets $\Delta$ are involved. I write $(M, V) \models \Delta \rightsquigarrow \varphi \rightarrow \psi$ if $(M, V) \models \varphi' \rightarrow \psi'$ for every formula $\varphi' \rightarrow \psi' \in \Delta$ implies that $(M, V) \models \varphi \rightarrow \psi$. (For a formula $\varphi \rightarrow \psi \in \mathcal{L}^{\rightarrow}_c$, $\varphi$ and $\psi$ are closed, so $(M, V) \models \varphi \rightarrow \psi$ iff $M \models \varphi \rightarrow \psi$. However, in $\mathcal{L}^{\rightarrow}$ there are open formulas, so the valuation $V$ plays a role.) I write $\mathcal{PS}(\Lambda) \models \Delta \rightsquigarrow \varphi \rightarrow \psi$ if $(M, V) \models \Delta \rightsquigarrow \varphi \rightarrow \psi$ for all PS structures $M \in \mathcal{PS}(\Lambda)$ and valuations $V$. As usual, a rule is said to be sound if it preserves truth (in this case, with respect to all $(M, V)$); that is, if all the antecedents hold with respect to $(M, V)$, then so does the conclusion.

The following result is well known.

Theorem 3.3: (Kraus, Lehmann, & Magidor 1990; Geffner 1992) If $\Delta \cup \{\varphi \rightarrow \psi\} \subseteq \mathcal{L}^{\rightarrow}_c$, then $\mathbf{P}_\Lambda \vdash \Delta \rightsquigarrow \varphi \rightarrow \psi$ iff $\mathcal{PS}(\Lambda) \models \Delta \rightsquigarrow \varphi \rightarrow \psi$.

I want to extend this result from $\mathcal{L}^{\rightarrow}_c$ to $\mathcal{L}^{\rightarrow}$, and to the $\models^{sp}$ semantics as well as the $\models$ semantics, so as to make it applicable to reasoning about security protocols. I actually extend it to $\mathcal{L}^{\rightarrow} \cup \mathcal{L}^{fo}$. A collection $\Delta$ of formulas in $\mathcal{L}^{\rightarrow} \cup \mathcal{L}^{fo}$ can be written as $\Delta_{\rightarrow} \cup \Delta_{fo}$, where $\Delta_{\rightarrow} \subseteq \mathcal{L}^{\rightarrow}$ and $\Delta_{fo} \subseteq \mathcal{L}^{fo}$. Consider the following strengthening of LLE:

LLE+. If $\vdash_{\Lambda \cup \Delta_{fo}} \varphi_1 \Leftrightarrow \varphi_2$, then from $\Delta \rightsquigarrow \varphi_1 \rightarrow \psi$ infer $\Delta \rightsquigarrow \varphi_2 \rightarrow \psi$.

RW can be similarly strengthened to RW+.

Some rules from $\mathrm{AX}^\Lambda_C$ to deal with the universal quantification are also needed, specifically, variants of $\Lambda$-AX, F1, and F3, and another rule similar in spirit to F3:

$\Lambda$-AX+. If $\vdash_{\Lambda \cup \Delta_{fo}} \varphi$, then $\Delta \rightsquigarrow \varphi$.

F1+. From $\forall x \varphi$ infer $\varphi[x/z]$, where $z$ is a variable that does not appear in $\varphi$.

F3+. If $x$ does not appear free in $\Delta$, then from $\Delta \rightsquigarrow \varphi$ infer $\Delta \rightsquigarrow \forall x \varphi$.

EQ. If $x$ does not appear free in $\Delta$, $\varphi$, or $\psi$, and $\sigma$ is a first-order formula, then from $\Delta \cup \{\sigma\} \rightsquigarrow \varphi \rightarrow \psi$ infer $\Delta \cup \{\exists x \sigma\} \rightsquigarrow \varphi \rightarrow \psi$ (existential quantification).

REN. If $y_1, \ldots, y_n$ do not appear in $\varphi$, then from $\forall x_1, \ldots, x_n \varphi$ infer $\forall y_1, \ldots, y_n(\varphi[x_1/y_1, \ldots, x_n/y_n])$ (renaming).



But these rules do not seem to suffice. Intuitively, what is needed is a way to capture the fact that the domain is the same in all worlds. In $\mathrm{AX}^\Lambda_C$, the one axiom that captures this is F5. Unfortunately, F5 is not expressible in $\mathcal{L}^{\rightarrow}$. To capture its effects in $\mathcal{L}^{\rightarrow}$, a somewhat more complicated rule seems necessary.

Definition 3.4: An interpretation-independent formula is a first-order formula that does not mention any constant, function, or predicate symbols (and, thus, is a formula whose atomic predicates all are of the form $x = y$).

The following rule can be viewed as a variant of the OR rule for interpretation-independent formulas.

II. If $\Delta \cup \{\sigma_1\} \rightsquigarrow \varphi$, $\Delta \cup \{\sigma_2\} \rightsquigarrow \varphi$, and $\sigma_1$ and $\sigma_2$ are interpretation-independent, then $\Delta \cup \{\sigma_1 \vee \sigma_2\} \rightsquigarrow \varphi$ (interpretation independence).

Let $\mathbf{P}^+_\Lambda$ consist of $\mathbf{P}_\Lambda$ (with LLE and RW replaced by LLE+ and RW+, respectively) together with F1+, F3+, EQ, REN, and II.

Theorem 3.5: If $\Delta \cup \{\varphi\} \subseteq \mathcal{L}^{\rightarrow} \cup \mathcal{L}^{fo}$, then the following are equivalent:

(a) $\mathbf{P}^+_\Lambda \vdash \Delta \rightsquigarrow \varphi$;

(b) $\mathcal{PS}(\Lambda) \models \Delta \rightsquigarrow \varphi$;

(c) $\mathcal{PS}(\Lambda) \models^{sp} \Delta \rightsquigarrow \varphi$.

Proof: The argument for soundness (that is, that (a) implies (c)) for the axioms and rules that also appear in $\mathbf{P}_\Lambda$ is essentially done in the proof of Theorem 3.2; the soundness of F1+, F3+, EQ, and REN is straightforward. The soundness of II follows easily from the observation that, since there is a fixed domain, if $\sigma_1$ and $\sigma_2$ are interpretation independent and $(M, V) \models \sigma_1 \vee \sigma_2$, then $(M, V) \models \sigma_1$ or $(M, V) \models \sigma_2$. This would not be the case for a formula such as $d_1 = d_2 \vee d_1 = d_3$. It could be that, for every world $w$, $(M, V, w) \models d_1 = d_2 \vee d_1 = d_3$, without either $d_1 = d_2$ being true in every world or $d_1 = d_3$ being true in every world.

The fact that (c) implies (b) follows just as in the proof of Theorem 3.2, using Theorem 3.1. Thus, it remains to show that (b) implies (a). As usual, for completeness, it suffices to show that if $\mathbf{P}^+_\Lambda \not\vdash \Delta \rightsquigarrow \forall x_1 \ldots \forall x_n(\varphi \rightarrow \psi)$, then there is a structure $M \in \mathcal{PS}(\Lambda)$ and valuation $V$ such that $M \models \Delta$ and $(M, V) \models \neg\forall x_1 \ldots \forall x_n(\varphi \rightarrow \psi)$. The idea is to reduce to Theorem 3.3 by transforming to a situation where the rules in $\mathbf{P}_\Lambda$ suffice. Let $\mathit{Dist}_k$ be the formula that says that there are at least $k$ distinct domain elements:

$$
\exists x_1 \ldots \exists x_k \Big(\bigwedge_{1 \le i < j \le k} x_i \ne x_j\Big).
$$

Note that $\mathit{Dist}_k$ is interpretation-independent. Let $\Delta_0 = \Delta$; let $\Delta_{n+1} = \Delta_n \cup \{\mathit{Dist}_{n+1}\}$ if $\mathbf{P}^+_\Lambda \not\vdash \Delta_n \cup \{\mathit{Dist}_{n+1}\} \rightsquigarrow \forall x_1 \ldots \forall x_n(\varphi \rightarrow \psi)$, and let $\Delta_{n+1} = \Delta_n \cup \{\neg\mathit{Dist}_{n+1}\}$ otherwise; finally, let $\Delta_\infty = \bigcup_n \Delta_n$.

An easy induction using II and $\Lambda$-AX+ shows that $\mathbf{P}^+_\Lambda \not\vdash \Delta_n \rightsquigarrow \forall x_1 \ldots \forall x_n(\varphi \rightarrow \psi)$ for all $n$, and hence $\mathbf{P}^+_\Lambda \not\vdash \Delta_\infty \rightsquigarrow \forall x_1 \ldots \forall x_n(\varphi \rightarrow \psi)$. Let $k^*$ be the largest $k$ such that $\mathit{Dist}_k \in \Delta_\infty$ (where we take $k^* = \infty$ if, for all $k$, $\mathit{Dist}_k \in \Delta_\infty$). Intuitively, $k^*$ will be the size of the domain in the PS structure that we construct.



By REN, I can assume without loss of generality that $x_1, \ldots, x_n$ do not appear in $\Delta_\infty$. Thus, from F3+, it follows that $\mathbf{P}^+_\Lambda \not\vdash \Delta_\infty \rightsquigarrow \varphi \rightarrow \psi$. A formula is a (complete) equality statement for $x_1, \ldots, x_n$ if it is a conjunction of formulas of the form $x_i = x_j$ and $x_i \ne x_j$, such that for all $1 \le i < j \le n$, either $x_i = x_j$ or $x_i \ne x_j$ is a conjunct. Note that a complete equality statement is interpretation-independent, and some equality statement must be true of every valuation. It thus follows (using II and $\Lambda$-AX+) that $\mathbf{P}^+_\Lambda \not\vdash \Delta_\infty \cup \{\sigma\} \rightsquigarrow \varphi \rightarrow \psi$, for some equality statement $\sigma$. An equality statement $\sigma$ partitions $x_1, \ldots, x_n$ into equivalence classes, where it follows from $\sigma$ that all the variables in each equivalence class are equal to each other, but variables in two different equivalence classes are not equal to each other. Suppose that there are $h$ equivalence classes. Clearly $h \le k^*$ (for otherwise $\sigma$ would be inconsistent with $\neg\mathit{Dist}_{k^*+1} \in \Delta_\infty$, so it would follow that $\mathbf{P}^+_\Lambda \vdash \Delta_\infty \cup \{\sigma\} \rightsquigarrow \varphi \rightarrow \psi$). Without loss of generality, I can assume that $x_1, \ldots, x_h$ are in distinct equivalence classes (so that $\sigma$ implies that, for all $j$, $x_1 = x_j \vee \ldots \vee x_h = x_j$). Let $\varphi'$ and $\psi'$ be the result of replacing $x_j$ for $j > h$ by $x_i$ for $i \le h$, where $\sigma \Rightarrow x_i = x_j$. It easily follows, using LLE+ and RW+, that $\mathbf{P}^+_\Lambda \not\vdash \Delta_\infty \cup \{\sigma\} \rightsquigarrow \varphi' \rightarrow \psi'$. Let $y_i$, $1 \le i < k^* + 1 - h$, be fresh variables (where $k^* + 1 - h = \infty$ if $k^* = \infty$) that do not appear in $\Delta$, $\varphi'$, or $\psi'$. Let $\Delta^0_\sigma = \Delta_\infty \cup \{\sigma\}$; if $m > 0$, let $\Delta^m_\sigma = \Delta^{m-1}_\sigma \cup \{(\bigwedge_{1 \le i < m} y_m \ne y_i) \wedge (\bigwedge_{1 \le j \le h} y_m \ne x_j)\}$. Let $\Delta^\dagger_\sigma = \bigcup_{i < k^* + 1 - h} \Delta^i_\sigma$. I claim that $\mathbf{P}^+_\Lambda \not\vdash \Delta^\dagger_\sigma \rightsquigarrow \varphi' \rightarrow \psi'$. To show this, since proofs are finite, it suffices to show that $\mathbf{P}^+_\Lambda \not\vdash \Delta^m_\sigma \rightsquigarrow \varphi' \rightarrow \psi'$ for all $m < k^* + 1 - h$. I do this by induction on $m$. For $m = 0$, this is true by assumption. Suppose, by way of contradiction, that $\mathbf{P}^+_\Lambda \vdash \Delta^m_\sigma \rightsquigarrow \varphi' \rightarrow \psi'$. For $m > 0$, note that $\Delta^m_\sigma$ has the form $\Delta_\infty \cup \{\sigma^0, \ldots, \sigma^m\}$, where $y_m$ appears only in $\sigma^m$. It thus follows from EQ that $\mathbf{P}^+_\Lambda \vdash \Delta_\infty \cup \{\sigma^0, \ldots, \sigma^{m-1}, \exists y_m \sigma^m\} \rightsquigarrow \varphi' \rightarrow \psi'$. It is easy to see that $\mathit{Dist}_m \Rightarrow \exists y_m \sigma^m$ is valid. Since $\mathit{Dist}_m \in \Delta_\infty$, it follows that $\mathbf{P}^+_\Lambda \vdash \Delta^{m-1}_\sigma \rightsquigarrow \varphi' \rightarrow \psi'$, contradicting the inductive hypothesis.

Let $D = \{d_i : 1 \le i \le k^* + 1\}$ consist of fresh constant symbols not in $T \cup \{c_1, \ldots, c_n\}$. Let an instantiation of $\forall x_1 \ldots \forall x_n(\varphi' \rightarrow \psi')$ be a formula of the form $\varphi'' \rightarrow \psi''$ that results by replacing each free variable in $\varphi' \rightarrow \psi'$ by some element of $D$. For example, the instantiations of $\forall x \forall y (P(x, y) \rightarrow Q(y))$ are all formulas of the form $P(d_i, d_j) \rightarrow Q(d_j)$. Let $\Delta^*$ be the result of replacing each formula $\forall x_1 \ldots \forall x_n(\varphi' \rightarrow \psi')$ in $\Delta$ by all its instantiations, and replacing the free variables $x_1, \ldots, x_h, y_1, y_2, \ldots$ in the formulas in $\Delta^\dagger_\infty - \Delta$ by $d_1, d_2, \ldots$, respectively. Let $\varphi^*$ and $\psi^*$ be the result of replacing $x_1, \ldots, x_h$ in $\varphi'$ and $\psi'$ by $d_1, \ldots, d_h$, respectively. I claim that $P_{\Delta \cup \Delta^*} \not\vdash \Delta^* \vdash \varphi^* \rightarrow \psi^*$. Suppose, by way of contradiction, that $P_{\Delta \cup \Delta^*} \vdash \Delta^* \vdash \varphi^* \rightarrow \psi^*$. Then clearly $P^+_\Delta \vdash \Delta^* \vdash \varphi^* \rightarrow \psi^*$. Let $\Delta_1$ be the result of replacing all occurrences of $d_1, d_2, \ldots$ by $x_1, \ldots, x_h, y_1, y_2, \ldots$, respectively. Then $P^+_\Delta \vdash \Delta_1 \vdash \varphi' \rightarrow \psi'$ (simply replace the constants $d_i$ by the appropriate variables in each line of the derivation of $\varphi^* \rightarrow \psi^*$). Moreover, $\Delta_1$ has the form $\Delta_2 \cup (\Delta^\dagger_\infty - \Delta)$, and, by F1+ and $\Delta$-AX+, it easily follows that $\Delta \cup (\Delta^\dagger_\infty - \Delta) \vdash \varphi' \rightarrow \psi'$; that is, $\Delta^\dagger_\infty \vdash \varphi' \rightarrow \psi'$. This gives us the desired contradiction.

Since $P_{\Delta \cup \Delta^*} \not\vdash \Delta^* \vdash \varphi^* \rightarrow \psi^*$, it follows by Theorem 3.3 that there exists a PS structure $M \in \mathcal{PS}(\Delta)$ and a valuation $V$ such that $M \models \Delta^*$ and $M \not\models \varphi^* \rightarrow \psi^*$. Moreover, by standard arguments (used, for example, in (Friedman, Halpern, & Koller 2000)) the domain of $M$ can be taken to be countable. Since $Dist_k \in \Delta^*$ for all $k \le k^*$, and, if $k^* < \infty$, $\neg Dist_{k^*+1} \in \Delta^*$, all the worlds in $M$ must have domain size $k^*$ (where, if $k^* = \infty$, the domain is countable). Hence, I can assume without loss of generality that all the worlds have the same domain, which can be taken to be $D = \{d_i : i \le k^*\}$; moreover, $d_i$ can be taken to be the interpretation of $d_i$ in each domain. It follows that $M \models \Delta$ and $M \not\models \varphi \rightarrow \psi$, as desired. ∎

3.2 Quantitative Reasoning 

The super-polynomial semantics just talks about asymptotic complexity. It says that for any polynomial $p$, the conclusion will hold with probability greater than $1 - 1/p(n)$ for sufficiently large $n$, provided that the assumptions hold with sufficiently high probability, where $n$ can be, for example, the security parameter. While this asymptotic complexity certainly gives insight into the security of a protocol, in practice, a system designer wants to achieve a certain level of security, and needs to know, for example, how large to take the keys in order to achieve this. In this section, I provide a more quantitative semantics appropriate for such reasoning, and connect the qualitative and quantitative semantics.

The syntax of the quantitative language, which is denoted $\mathcal{L}^{fo,q}$, is just like that of the qualitative language, except that, instead of formulas of the form $\varphi \rightarrow \psi$, there are formulas of the form $\varphi \rightarrow^r \psi$, where $r$ is a real number in $[0, 1]$. The semantics of such a formula is straightforward:

$(M, V) \models \varphi \rightarrow^r \psi$ if there exists some $n^* > 0$ such that for all $n > n^*$, $\Pr_n([\![\psi]\!]_{M,V} \mid [\![\varphi]\!]_{M,V}) \ge 1 - r$.

I define $\mathcal{L}^{fo,q}_\Delta$ in the obvious way.

For each of the axioms and rules in system $P_\Delta$, there is a corresponding sound axiom or rule in $\mathcal{L}^{fo,q}$:

LLE$^q$. If $\vdash_{AX_\Delta} \varphi_1 \Leftrightarrow \varphi_2$, then from $\Delta \vdash \varphi_1 \rightarrow^r \psi$ infer $\Delta \vdash \varphi_2 \rightarrow^r \psi$.

RW$^q$. If $\vdash_{AX_\Delta} \psi_1 \Rightarrow \psi_2$, then from $\Delta \vdash \varphi \rightarrow^r \psi_1$ infer $\Delta \vdash \varphi \rightarrow^r \psi_2$.

REF$^q$. $\varphi \rightarrow^0 \varphi$ (reflexivity).

AND$^q$. From $\varphi \rightarrow^{r_1} \psi_1$ and $\varphi \rightarrow^{r_2} \psi_2$ infer $\varphi \rightarrow^{r_3} \psi_1 \wedge \psi_2$, where $r_3 = \min(r_1 + r_2, 1)$.

OR$^q$. From $\varphi_1 \rightarrow^{r_1} \psi$ and $\varphi_2 \rightarrow^{r_2} \psi$ infer $\varphi_1 \vee \varphi_2 \rightarrow^{r_3} \psi$, where $r_3 = \max(2r_1, 2r_2, 1)$.

CM$^q$. From $\varphi_1 \rightarrow^{r_1} \varphi_2$ and $\varphi_1 \rightarrow^{r_2} \psi$ infer $\varphi_1 \wedge \varphi_2 \rightarrow^{r_3} \psi$, where $r_3 = \max(r_1 + r_2, 1)$.

Let $P^{+,q}_\Delta$ denote this set of rules, together with F1+, F3+, EQ, REN, and II (all of which hold with no change in the quantitative setting), and

INC. If $r_1 < r_2$, then from $\varphi \rightarrow^{r_1} \psi$ infer $\varphi \rightarrow^{r_2} \psi$.



Theorem 3.6: The rules in $P^{+,q}_\Delta$ are all sound.

Proof: The soundness of the quantitative analogues of the rules in $P_\Delta$ is immediate from the proof of Theorem 3.2. The soundness of the remaining rules holds as it did before (since they are unchanged). ∎
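As an added illustration, not from the paper, of why AND$^q$ is sound and when its level is tight, the following Python computes conditional probabilities over a constructed finite weighted space that stands in for $\Pr_n$ at one fixed value of the security parameter. The atoms (`phi`, `secret`, `auth`) and the weights are made up for the example; `tightest_level` returns the smallest $r$ at which $\varphi \rightarrow^r \psi$ holds in that space, and `check_and_q` compares the level actually achieved by the conjunction with the level $\min(r_1 + r_2, 1)$ that the rule assigns.

```python
from fractions import Fraction
from typing import Callable, Dict, List, Tuple

# A finite, weighted probability space standing in for the distribution Pr_n
# at one value of the security parameter.  Weights are positive integers and
# need not sum to 1; a state is an assignment of truth values to atoms.
State = Dict[str, bool]
Space = List[Tuple[int, State]]
Prop = Callable[[State], bool]


def cond_prob(space: Space, event: Prop, cond: Prop) -> Fraction:
    """Pr(event | cond) over the weighted space; cond must have positive weight."""
    den = sum(w for w, s in space if cond(s))
    num = sum(w for w, s in space if cond(s) and event(s))
    return Fraction(num, den)


def tightest_level(space: Space, phi: Prop, psi: Prop) -> Fraction:
    """Smallest r such that phi ->^r psi holds here, i.e. 1 - Pr(psi | phi)."""
    return 1 - cond_prob(space, psi, phi)


def and_q(r1, r2) -> Fraction:
    """Level that AND^q assigns to phi -> psi1 & psi2: r3 = min(r1 + r2, 1)."""
    return min(Fraction(r1) + Fraction(r2), Fraction(1))


def check_and_q(space: Space, phi: Prop, psi1: Prop, psi2: Prop):
    """Return (r1, r2, actual level of the conjunction, AND^q level).

    The rule is sound because a failure of psi1 & psi2 is a failure of psi1
    or of psi2 (a union bound), so the actual level never exceeds r1 + r2;
    it equals r1 + r2 exactly when the two kinds of failure never coincide.
    """
    r1 = tightest_level(space, phi, psi1)
    r2 = tightest_level(space, phi, psi2)
    actual = tightest_level(space, phi, lambda s: psi1(s) and psi2(s))
    return r1, r2, actual, and_q(r1, r2)


def _state(phi: bool, secret: bool, auth: bool) -> State:
    return {"phi": phi, "secret": secret, "auth": auth}


PHI: Prop = lambda s: s["phi"]         # the protocol's assumptions hold in this run
SECRET: Prop = lambda s: s["secret"]   # the session key stays secret
AUTH: Prop = lambda s: s["auth"]       # the peer is correctly authenticated

# Constructed sample spaces (weights out of 120 in total).  The 20 states in
# which phi is false show that the levels are conditional on phi.  In OVERLAP
# some runs lose both properties at once, so the conjunction fails less often
# than r1 + r2; in DISJOINT the two failures never coincide and the bound is tight.
OVERLAP: Space = [
    (90, _state(True, True, True)),
    (4, _state(True, False, True)),
    (3, _state(True, True, False)),
    (3, _state(True, False, False)),
    (20, _state(False, False, False)),
]
DISJOINT: Space = [
    (90, _state(True, True, True)),
    (5, _state(True, False, True)),
    (5, _state(True, True, False)),
    (20, _state(False, False, False)),
]

if __name__ == "__main__":
    for name, space in (("overlap", OVERLAP), ("disjoint", DISJOINT)):
        r1, r2, actual, bound = check_and_q(space, PHI, SECRET, AUTH)
        print(f"{name}: r1={r1} r2={r2} conjunction fails at {actual}, AND^q level {bound}")
```

In the overlapping space the conjunction fails with probability 10/100 while AND$^q$ only guarantees 13/100; in the disjoint space both are 10/100. The rule cannot do better than the union bound, because it sees only the two levels, not how the failures are correlated.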

I do not believe that $P^{+,q}_\Delta$ is complete, nor do I have a candidate complete axiomatization for the quantitative language. Nevertheless, as the proofs in (Datta et al. 2008) show, $P^{+,q}_\Delta$ suffices for proving many results of interest in security. Moreover, as I now show, there is a deep relationship between $P^+_\Delta$ and $P^{+,q}_\Delta$. To make it precise, given a set of formulas $\Delta \subseteq \mathcal{L}^{fo}$, say that $\Delta' \subseteq \mathcal{L}^{fo,q}$ is a quantitative instantiation of $\Delta$ if there is a bijection $f$ from $\Delta$ to $\Delta'$ such that, for every formula $\varphi \rightarrow \psi \in \Delta$, there is a real number $r \in [0, 1]$ such that $f(\varphi \rightarrow \psi) = \varphi \rightarrow^r \psi$. That is, $\Delta'$ is a quantitative instantiation of $\Delta$ if each qualitative formula in $\Delta$ has a quantitative analogue in $\Delta'$.

Although the proof of the following theorem is straightforward, it shows the power of using $P^+_\Delta$. Specifically, it shows that if $\varphi \rightarrow \psi$ is derivable from $\Delta$ in $P^+_\Delta$ then, for all $r \in [0, 1]$, there exists a quantitative instantiation $\Delta'$ of $\Delta$ such that $\varphi \rightarrow^r \psi$ is derivable from $\Delta'$ in $P^{+,q}_\Delta$. Thus, if the system designer wants security at level $r$ (that is, she wants to know that the desired security property holds with probability at least $1 - r$), then if she has a qualitative proof of the result, she can compute the strength with which her assumptions must hold in order for the desired conclusion to hold. For example, she can compute how to set the security parameters in order to get the desired level of security. This result can be viewed as justifying qualitative reasoning. Roughly speaking, it says that it is safe to avoid thinking about the quantitative details, since they can always be derived later. Note that this result would not hold if the language allowed negation. For example, even if $\neg(\varphi \rightarrow \psi)$ could be proved given some assumptions (using the axiom system $AX$), it would not necessarily follow that $\neg(\varphi \rightarrow^r \psi)$ holds, even if the probability of the assumptions was taken arbitrarily close to one.

Theorem 3.7: If $P^+_\Delta \vdash \Delta \vdash \varphi \rightarrow \psi$, then for all $r \in [0, 1]$, there exists a quantitative instantiation $\Delta'$ of $\Delta$ such that $P^{+,q}_\Delta \vdash \Delta' \vdash \varphi \rightarrow^r \psi$. Moreover, $\Delta'$ can be found in polynomial time, given the derivation of $\Delta \vdash \varphi \rightarrow \psi$.

Proof: The existence of $\Delta'$ follows by a straightforward induction on the length of the derivation. If it has length 1, then either $\varphi = \psi$, in which case it is an instance of REF$^q$, or $\varphi \rightarrow \psi \in \Delta$, in which case I simply take $\Delta'$ such that it includes $\varphi \rightarrow^r \psi$. For the inductive step, the only nontrivial case is if $\varphi \rightarrow \psi$ follows from earlier steps by an instance of a rule of inference in $P^+_\Delta$. The result then follows by a simple case analysis on the form of the rule. For example, if the AND rule is used, then $\varphi \rightarrow \psi$ has the form $\varphi \rightarrow \psi_1 \wedge \psi_2$, and there are shorter derivations of $\Delta \vdash \varphi \rightarrow \psi_1$ and $\Delta \vdash \varphi \rightarrow \psi_2$. Choose $s_1, s_2 \in [0, 1]$ such that $s_1 + s_2 = r$.¹ By the induction hypothesis, there exist variants $\Delta_1$ and $\Delta_2$ such that $P^{+,q}_\Delta \vdash \Delta_i \vdash \varphi \rightarrow^{s_i} \psi_i$, for $i = 1, 2$. Let $\Delta_3$ be a quantitative instantiation of $\Delta$ that dominates both $\Delta_1$ and $\Delta_2$, in the sense that if $\varphi' \rightarrow^{r_i} \psi' \in \Delta_i$, for $i = 1, 2, 3$, then $r_3 \ge \max(r_1, r_2)$. Then it is easy to see that $P^{+,q}_\Delta \vdash \Delta_3 \vdash \varphi \rightarrow^{s_i} \psi_i$ for $i = 1, 2$. By AND$^q$, it easily follows that $P^{+,q}_\Delta \vdash \Delta_3 \vdash \varphi \rightarrow^r \psi_1 \wedge \psi_2$. The argument for all the other rules in $P^+_\Delta$ is similar. This argument also shows that finding $\Delta'$ from the proof of $\Delta \vdash \varphi \rightarrow \psi$ just involves solving some simple linear inequalities, which can be done in polynomial time. ∎

¹ It suffices to take $s_1 = s_2 = r/2$, but there is an advantage to having this greater flexibility; see the discussion after the proof.

The proof of Theorem 3.7 gives even more useful information to the system designer. In general, there may be a number of quantitative instantiations $\Delta'$ of $\Delta$ that give the desired conclusion. For example, as the proof shows, if the AND rule is used in the qualitative proof, and we want the conclusion to hold at level $r$, we need only choose $s_1$ and $s_2$ such that $\varphi \rightarrow \psi_1$ and $\varphi \rightarrow \psi_2$ hold at levels $s_1$ and $s_2$, respectively. If the system designer finds it easier to satisfy the first formula than the second (for example, the first may involve the length of the key, while the second may involve the degree of trustworthiness of one of the participants in the protocol), there may be an advantage in choosing $s_1$ relatively small and $s_2$ larger. As long as $s_1 + s_2 = r$, the desired conclusion will hold.
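The conversion that the proof of Theorem 3.7 and the discussion above describe, written out as an added Python example that is not part of the paper. It handles derivations built from assumptions in $\Delta$, REF, LLE/RW and AND only (OR and CM are left out), represents formulas as plain strings, and lets the designer give each AND step a weight that fixes how the budget $r$ is split into $s_1 + s_2 = r$. `instantiate` is the top-down pass that produces the quantitative instantiation $\Delta'$; `derived_level` is the bottom-up check that $P^{+,q}_\Delta$ really gets back to level $r$ with AND$^q$ and INC. The assumption names (a key-length assumption and a trust assumption) are constructed for illustration. One design choice of the example: when the same assumption is reached on two branches, the smaller (stronger) level is kept, so that INC yields each branch's requirement from the shared formula.

```python
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

# A quantitative instantiation Delta': the formula phi ->^r psi is stored as
# the pair (phi, psi) mapped to its level r (exact rational arithmetic).
QuantDelta = Dict[Tuple[str, str], Fraction]


@dataclass
class Step:
    """One node of a qualitative derivation of phi -> psi from Delta.

    rule is one of
      "ASSUME"     phi -> psi is a member of Delta (a leaf)
      "REF"        phi is psi (a leaf; REF^q gives level 0)
      "LLE", "RW"  one premise; the level passes through unchanged
      "AND"        premises phi -> psi1 and phi -> psi2; conclusion phi -> psi1 & psi2
    weight (AND only) is the share of the target level handed to the first
    premise: s1 = weight * r and s2 = r - s1, so s1 + s2 = r exactly.
    """
    rule: str
    phi: str
    psi: str
    premises: List["Step"] = field(default_factory=list)
    weight: Fraction = Fraction(1, 2)


def instantiate(step: Step, r, delta_q: Optional[QuantDelta] = None) -> QuantDelta:
    """Top-down pass of the Theorem 3.7 argument.

    Returns the quantitative instantiation that makes the conclusion of
    `step` hold at level r: every assumption the derivation uses is mapped
    to the level it must hold at.  An assumption reached on two branches
    keeps the smaller (stronger) level; INC recovers the weaker one.
    """
    r = Fraction(r)
    if delta_q is None:
        delta_q = {}
    if step.rule == "ASSUME":
        key = (step.phi, step.psi)
        delta_q[key] = min(delta_q.get(key, r), r)
    elif step.rule == "REF":
        pass  # phi ->^0 phi is an axiom; nothing is required of Delta
    elif step.rule in ("LLE", "RW"):
        instantiate(step.premises[0], r, delta_q)
    elif step.rule == "AND":
        s1 = r * step.weight   # split the budget between the two premises
        s2 = r - s1
        instantiate(step.premises[0], s1, delta_q)
        instantiate(step.premises[1], s2, delta_q)
    else:
        raise ValueError(f"unknown rule {step.rule}")
    return delta_q


def derived_level(step: Step, delta_q: QuantDelta) -> Fraction:
    """Bottom-up pass: the level at which the conclusion of `step` is
    derivable from delta_q using REF^q, LLE^q/RW^q and AND^q
    (r3 = min(r1 + r2, 1))."""
    if step.rule == "ASSUME":
        return delta_q[(step.phi, step.psi)]
    if step.rule == "REF":
        return Fraction(0)
    if step.rule in ("LLE", "RW"):
        return derived_level(step.premises[0], delta_q)
    if step.rule == "AND":
        r1 = derived_level(step.premises[0], delta_q)
        r2 = derived_level(step.premises[1], delta_q)
        return min(r1 + r2, Fraction(1))
    raise ValueError(f"unknown rule {step.rule}")


def holds_at(step: Step, r) -> bool:
    """True iff the instantiation computed for level r yields phi ->^r psi:
    the derived level is r itself, or below it and INC closes the gap."""
    return derived_level(step, instantiate(step, r)) <= Fraction(r)


def example_derivation(weight="1/2") -> Step:
    """Constructed derivation (hypothetical assumptions, not from the paper):
    one branch rests on a key-length assumption, weakened by RW; the other
    on an assumption about a participant's honesty."""
    phi = "KeyLen(k, n) & Honest(A)"
    key_leaf = Step("ASSUME", phi, "Secret(k) & Fresh(nonce)")
    key_branch = Step("RW", phi, "Secret(k)", [key_leaf])
    trust_branch = Step("ASSUME", phi, "Authentic(A, B)")
    return Step("AND", phi, "Secret(k) & Authentic(A, B)",
                [key_branch, trust_branch], Fraction(weight))


if __name__ == "__main__":
    # The designer wants the conclusion at level 1/100 and finds the
    # key-length assumption cheap to strengthen, so it gets a quarter of r.
    d = example_derivation("1/4")
    for (phi, psi), level in instantiate(d, "1/100").items():
        print(f"{phi} ->^{level} {psi}")
    print("conclusion derivable at 1/100:", holds_at(d, "1/100"))
```

With the weight 1/4 the key-length assumption must hold at level 1/400 and the trust assumption at 3/400; with the default weight both are 1/200. Either way AND$^q$ returns exactly the requested 1/100, which is the linear constraint $s_1 + s_2 = r$ the proof mentions.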